The consistent demand for computer and other network services has increased the need for better network security tools. A variety of techniques have been deployed to shield networks from hacking and other intrusions. Those protective techniques may be categorized as either risk avoidance systems or risk management systems.
Risk avoidance techniques involve introducing a barrier to prevent inappropriate entry into a network. Such systems place reliance on keeping intruders out of the network entirely, rather than monitoring inappropriate network traffic after logging in. Risk avoidance systems include dedicated network firewalls and mandatory encryption over the network.
Risk management approaches, in contrast, adopt the philosophy that a network cannot keep everyone out, and so rely upon detection of intrusive activity after logging in. Unfortunately, intrusion detection systems often lend a false sense of security to systems administrators while not really solving the underlying security problem. Intrusion detection systems produce a high rate of false positive identifications by inaccurately reporting legitimate network activity as suspicious. They also often overwhelm a system's administrator with too much detail about network behavior, and moreover are configured to trigger a report only after a network attack has been discovered. At that point it may be too late to prevent the attack or to remedy much of the possible damage.
After-the-fact auditing systems provide another type of tool used under the risk management approach. Auditing systems are implemented as a host-based technique, in which a central server, running the operating system, logs the activity of client computers in a central storage area. However, the host computer running the audit system itself may be susceptible to being attacked internally or externally, creating a point of vulnerability in the overall surveillance.
Some other auditing products employ so-called sniffer technology to monitor network traffic. Such products inspect the data streams they collect for specific types of network traffic, for example detecting electronic mail uploads by monitoring port 25 for Simple Mail Transfer Protocol (SMTP) events. However, most networks carry a large amount of traffic, and simple sniffer-type tools do not help sift through the volume. Other drawbacks exist as well.
In light of the foregoing, more robust and comprehensive network security technology is desirable.